detach checksums from makebuildserver
Right now, ./makebuildserver includes a list of packages to install and their checksums. This is manually managed directly in the script. That adds friction to the buildserver update process, since those packages can only be defined in ./makebuildserver.
I just created https://gitlab.com/fdroid/gradle-transparency-log which uses gitlab-ci to automatically download and commit the checksums from https://gradle.org/release-checksums/ to that git repo. It checks the three components: gradle-*-bin.zip, gradle-*-all.zip, and gradle-wrapper.jar.
I think this approach could be used for all the packages, also the Android SDK packages. If we want to keep some kind of manual review, we could require that ./makebuildserver only use a signed git tag of that log.
@est @relan @Bubu @uniqx @licaon-kter what do you think? If you think this is useful, I'll also create an android-sdk-transparency-log.
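
A sketch of how a build script could consume such a log from a signed tag. This is an added example, not code from the issue, from fdroidserver, or from the gradle-transparency-log repo. The log layout (a JSON object mapping file name to hex SHA-256) and all function names are assumptions.

```python
import hashlib
import hmac
import json
import subprocess
from pathlib import Path


def verify_signed_tag(repo_dir, tag):
    """Verify the tag's signature, then check out the tagged tree.

    `git verify-tag` succeeds only if GnuPG validates the signature with a
    key in the local keyring, so that keyring should hold reviewers' keys only.
    """
    subprocess.run(["git", "-C", str(repo_dir), "verify-tag", tag], check=True)
    subprocess.run(["git", "-C", str(repo_dir), "checkout", "--quiet", tag], check=True)


def load_checksums(log_file):
    """Load the log. Assumed layout: {"<file name>": "<lowercase hex SHA-256>"}."""
    entries = json.loads(Path(log_file).read_text())
    for name, digest in entries.items():
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum for {name}")
    return entries


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large SDK archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksums):
    """Fail closed: a file missing from the log is rejected, not skipped."""
    name = Path(path).name
    expected = checksums.get(name)
    if expected is None:
        raise KeyError(f"{name} is not in the checksum log")
    actual = sha256_of(path)
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"{name}: expected {expected}, got {actual}")
    return True
```

The caller would run `verify_signed_tag` on its local clone of the log first, so that `load_checksums` only ever reads a tree that a reviewer has signed.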